
Stop brute force attacks?

(@diito)
Joined: 1 year ago
Posts: 22
Topic starter  

Lately, I've had a huge problem with targeted brute attacks against specific user accounts. In the past, they'd attempt several times from a single IP and get blocked by fail2ban. That no longer works. It seems now whoever is targeting me is rotating through a different IP with each attempt and fail2ban is useless. I have Carbonio behind an OPNsense firewall that runs CrowdSec and blocks general known bad IPs with the free filters. That doesn't seem to help much. Any ideas how to prevent this? I'm getting locked out of my own account half the day these last couple days.


   
(@hvillemoes)
Joined: 2 years ago
Posts: 12
 

I experience the same problem. When my account gets locked by a brute-force attack, I find the IPs in the log and filter them.

I use this command to find them for a specific email address:

fgrep 'donald@duck.com' /opt/zextras/log/mailbox.log | fgrep ImapServer | fgrep 'nvalid credentials' | awk '{ f=index( $0, "oip=" ); l=index( $0, "via=" ); print substr( $0, f+4, l-f-5 ) }'

An automated solution would be much appreciated.

Thanks

This post was modified 1 month ago by hvillemoes

   
(@stefanodavid)
Joined: 3 years ago
Posts: 227
 

@diito The fact that the attacker is changing the source IP address makes this type of attack quite difficult to mitigate or even prevent, unfortunately. I am running crowdsec as well on my VPS, and the only solution I could think of is to use a script similar to the one by @hvillemoes, then try to identify a pattern in the rotating IPs.

However, this might prove not so useful, because in a few cases, I found that among the rotating IPs, there are legit IPs, and when I put them on a blacklist, they blocked some service I use. So I decided to stop the script, because trying to identify patterns is quite time-consuming, and live with the situation (but admittedly I haven't experienced that many attacks, so YMMV).


   
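An added example, not code from any poster in this thread: it automates the one-liner posted by @hvillemoes and groups the rotating source addresses by network, with an allowlist so known-good addresses are never proposed for blocking. The function names, the /24 and /64 grouping, the threshold of 3 and the sample log layout are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines. The layout is assumed from the fields the one-liner
# in the thread relies on: "ImapServer", "oip=<addr>;via=", "invalid credentials".
SAMPLE_LOG = """\
2025-01-10 08:00:01 INFO [ImapServer-11] [ip=10.0.0.2;oip=198.51.100.7;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:00:09 INFO [ImapServer-12] [ip=10.0.0.2;oip=198.51.100.23;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:00:17 INFO [ImapServer-13] [ip=10.0.0.2;oip=198.51.100.88;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:00:25 INFO [ImapServer-14] [ip=10.0.0.2;oip=198.51.100.7;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:00:33 INFO [ImapServer-15] [ip=10.0.0.2;oip=203.0.113.5;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:01:02 INFO [ImapServer-16] [ip=10.0.0.2;oip=192.0.2.10;via=10.0.0.2;] authentication failed for [donald@duck.com] (invalid credentials)
2025-01-10 08:01:10 INFO [ImapServer-17] [ip=10.0.0.2;oip=203.0.113.99;via=10.0.0.2;] authentication failed for [daisy@duck.com] (invalid credentials)
2025-01-10 08:01:30 INFO [ImapServer-18] [ip=10.0.0.2;oip=192.0.2.10;via=10.0.0.2;] authentication successful for [donald@duck.com]
"""

# Same extraction as the awk one-liner: the text between "oip=" and ";via=".
OIP_RE = re.compile(r"oip=([^;]+);via=")

def failed_sources(lines, account):
    """Originating IPs of failed IMAP logins for one account, in log order."""
    wanted = (l for l in lines if account in l and "ImapServer" in l and "nvalid credentials" in l)
    return [m.group(1) for m in map(OIP_RE.search, wanted) if m]

def summarize(ips, allowlist=(), min_hosts=3):
    """Group distinct source IPs by /24 (IPv4) or /64 (IPv6).

    Returns (candidate_networks, isolated_ips). A network is a candidate only
    when min_hosts distinct addresses in it failed; allowlisted ones are skipped.
    """
    allowed = [ip_network(a) for a in allowlist]
    by_net = defaultdict(set)
    for raw in set(ips):
        try:
            ip = ip_address(raw)
        except ValueError:
            continue  # malformed oip field
        if any(ip in net for net in allowed):
            continue  # never propose a known-good address for blocking
        prefix = 24 if ip.version == 4 else 64
        by_net[ip_network(f"{ip}/{prefix}", strict=False)].add(ip)
    candidates = {str(n): len(h) for n, h in by_net.items() if len(h) >= min_hosts}
    isolated = sorted(str(ip) for h in by_net.values() if len(h) < min_hosts for ip in h)
    return candidates, isolated

if __name__ == "__main__":
    ips = failed_sources(SAMPLE_LOG.splitlines(), "donald@duck.com")
    print(summarize(ips, allowlist=["192.0.2.10"]))
```

Isolated addresses are returned separately for manual review, since a single failure from an otherwise unseen network may be a legitimate client.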